Conventional Wireless sensor networks (WSNs) comprise wireless sensor and actuator nodes that wirelessly communicate with each other enabling different applications such as pervasive healthcare or smart lighting environments. For instance, a medical sensor network (MSN) is a wireless sensor network where patients are equipped with wireless medical sensors (WMSs) that measure, process and forward users' vital signs in real time. Clinical staff can monitor patient's vital signs by means of, e.g., PDAs or bedside monitors.
In this particular context, the provision of basic security services such as entity identification, authentication and access control to wireless sensor networks are essential. Indeed, such a network must be robust and secure enough to prevent attackers from gaining control over the network. General data protection policies such as the European directive 95/46 or healthcare rules such as HIPAA in the United States must be taken into account when designing security systems for MSNs. For instance, only authorized doctors should be able to monitor patient's vital signs.
To enable the network to be robust, the distribution of encryption keys is crucial. These encryption keys are used to establish an encrypted connection between two nodes, avoiding thus eavesdropping. Thus, key distribution among the nodes is the security's cornerstone as it defines how to distribute the cryptographic keys used to enable those security services. However, the efficient provision of both key distribution and security services is challenging due to the resource-constrained nature of wireless sensor nodes as WMSs in MSNs.
α-secure key distribution schemes (KDSs) have been identified as a feasible option for key distribution and key agreement in wireless sensor networks such as medical sensor networks (MSN). These schemes offer a trade-off between scalability, resilience, connectivity, and computational overhead. In α-secure KDSs, nodes do not share ready-made keys. Instead, nodes are provided with some node-specific information that allows them to compute a shared key with any other node in this security domain on input of that node's identifier. This node-specific information is derived from a keying material root (KMRoot) and the node-specific keying material share for node i is denoted by KM(i). Hence, the different keying material shares KM(i) are all different but correlated. This approach is especially interesting for mobile wireless sensor and actuator networks due to different reasons including: (i) its efficiency on resource-constrained wireless sensor nodes; (ii) its feasibility in mobile scenarios such as patient monitoring or wireless control networks addressed by the ZigBee Alliance where both scalability and distributed operation are key features.
FIG. 1 depicts the main operation phases of an α-secure KDS. During a first phase or set-up phase, a trust center (TC) generates a root keying material (KMroot). From KMroot, the TC generates a different (but correlated) keying material share, KM(i), for each and every node, i, in the security domain, with i=1, . . . , N. Afterwards, the TC distributes a set of keying material share to each node. This distribution is carried out to increase the robustness of the system. In general, a node carrying a keying material share, KM(i), is identified by IDi. An α-secure KDS can be created by using as KMroot a symmetric bivariate polynomial f(x,y) of degree α over a finite field Fq with q large enough to accommodate a cryptographic key. Given f(x,y), a TC can generate up to q different keying material shares by evaluating f(x,y) in different values of the x variable with 1≦×≦q, i.e., KM(i)=f(i,y) and ID(i)=i. Note that other α-secure KDS can be used in order to minimize the computational requirements of the system.
In the second phase, the operational phase, any pair of arbitrary nodes in this security domain, A and B, can exploit their respective keying material shares to agree on a common key in a distributed fashion, i.e. without further TC involvement. To this end, both nodes obtain the identity of the peer by exchanging them, as part of a binding process or similar processes. Afterwards, they use their respective keying material shares in combination with the identities to generate a pairwise key.
For instance, we can assume again that a symmetric bivariate polynomial f(x,y) is used as root keying material, and nodes A and B carry the keying material shares f(A,y) and f(B,y) respectively. Firstly, both parties obtain their corresponding identities, i.e., B obtains A's identity IDA=A, and A obtains B's identity IDB=B. Then, each device can generate a common key in a distributed manner by evaluating its polynomial share in the identity of the other device, i.e., node A evaluates its polynomial share f(A,y) in y=B and node B evaluates f(B,y) in y=A. Therefore, both nodes agree on a common key K=f(A,B)=f(B,A). Finally, both nodes can use K to authenticate to each other by means of, e.g., a challenge-response authentication handshake, or derive a session key to enable confidentiality.
However, the evaluation of polynomials over a finite field Fq with q large enough to accommodate a complete cryptographic key is computationally expensive on resource constrained devices (CPUs with small word size, e.g. 8-bit) as it requires the software implementation of modular multiplications with large operands.